@geropl geropl commented Jan 9, 2026

Description

Related Issue(s)

Related to CLC-2189

How to test

Documentation

Preview status

gitpod:summary

Build Options

Build
  • /werft with-werft
    Run the build with werft instead of GHA
  • leeway-no-cache
  • /werft no-test
    Run Leeway with --dont-test
Publish
  • /werft publish-to-npm
  • /werft publish-to-jb-marketplace
Installer
  • analytics=segment
  • with-dedicated-emulation
  • workspace-feature-flags
    Add desired feature flags to the end of the line above, space separated
Preview Environment / Integration Tests
  • /werft with-local-preview
    If enabled this will build install/preview
  • /werft with-preview
  • /werft with-large-vm
  • /werft with-gce-vm
    If enabled this will create the environment on GCE infra
  • /werft preemptible
    Saves cost. Untick this only if you're really sure you need a non-preemptible machine.
  • with-integration-tests=all
    Valid options are all, workspace, webapp, ide, jetbrains, vscode, ssh. If enabled, with-preview and with-large-vm will be enabled.
  • with-monitoring

/hold

Add resolutions for transitive dependencies with known vulnerabilities:
- @babel/traverse: CVE-2023-45133
- browserify-sign: pulls in fixed elliptic
- cipher-base: CVE-2025-21531
- elliptic: CVE-2024-48949
- exec-sh: removes vulnerable [email protected] (GHSA-7wpw-2hjm-89gp)
- loader-utils: CVE-2022-37601
- pbkdf2: CVE-2025-21532
- tough-cookie: CVE-2023-26136

Co-authored-by: Ona <[email protected]>

This file seems unnecessary, maybe you can remove?


@kylos101 kylos101 left a comment


Added a couple questions, not blocking

Comment on lines +29 to +37
"sha.js": "2.4.12",
"@babel/traverse": "^7.23.2",
"browserify-sign": "^4.2.5",
"cipher-base": "^1.0.5",
"elliptic": "^6.6.1",
"loader-utils": "^2.0.4",
"exec-sh": "^0.4.0",
"pbkdf2": "^3.1.3",
"tough-cookie": "^4.1.3"

This is interesting. I take it this is for any component, which is different from dev/npm-tools which is for global dependencies?
